HTTP TRACE is enabled

http-trace-enabled (11237) The risk level is classified as LowLow Risk

Description:

HTTP TRACE support is enabled on the Web server. The HTTP TRACE method as described in RFC 2616 of the HTTP 1.1 standard is typically used for debugging and network analysis purposes to request the contents of HTTP request messages received by the Web server. On Web servers with HTTP TRACE support enabled, a remote attacker could leverage this functionality with known cross-site scripting and other Web browser vulnerabilities to obtain sensitive information about the Web server, including server cookies and authentication information. This information could then be used by the attacker to launch further attacks against the affected Web server.

Platforms Affected:

  • Apache, HTTP Server
  • Apple, Mac OS
  • Cisco, IOS
  • Compaq, Tru64
  • Data General, DG/UX
  • HP, HP-UX
  • IBM, AIX
  • IBM, OS/2
  • Linux, Linux
  • Microsoft, IIS
  • Microsoft, Windows 2000
  • Microsoft, Windows 2003 Server
  • Microsoft, Windows 95
  • Microsoft, Windows 98
  • Microsoft, Windows 98SE
  • Microsoft, Windows Me
  • Microsoft, Windows NT 4.0
  • Microsoft, Windows XP
  • Novell, NetWare
  • SCO, SCO Unix
  • SGI, IRIX
  • Sun, Solaris
  • WindRiver, BSDOS

Remedy:

Administrators should disable HTTP TRACE support on the Web server. HTTP TRACE support can be disabled on Apache HTTP Server using the mod_rewrite module and on Microsoft Internet Information Services (IIS) using the URLScan tool.

Consequences:

Informational

References:

  • IBM Internet Security Systems X-Force Database, Multiple vendor Web servers HTTP TRACE method information disclosure at http://xforce.iss.net/xforce/xfdb/11149.
  • Internet RFC/STD/FYI/BCP Archives, Hypertext Transfer Protocol -- HTTP/1.1 at http://www.faqs.org/rfcs/rfc2616.html.
  • CVE-2004-2320: The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.
  • CVE-2005-3398: The default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers.
  • CVE-2007-3008: Mbedthis AppWeb before 2.2.2 enables the HTTP TRACE method, which has unspecified impact probably related to remote information leaks and cross-site tracing (XST) attacks, a related issue to CVE-2004-2320 and CVE-2005-3398.

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page